The Hacker News — Cyber Security, Hacking, Technology News

Microsoft has built its own custom Linux kernel to power "Azure Sphere," a newly launched technology that aims to better secure billions of "Internet of things" devices by combining the custom Linux kernel with a new chip design and its cloud security service.

Project Azure Sphere focuses on protecting microcontroller-based IoT devices, including smart appliances, connected toys, and other smart gadgets, Microsoft announced during the security-focused RSA Conference in San Francisco Monday.

It is basically a security package consisting of three main components:

Azure Sphere-certified microcontrollers (MCUs)

Azure Sphere OS

Azure Sphere Security Service

"Azure Sphere provides security that starts in the hardware and extends to the cloud, delivering holistic security that protects, detects, and responds to threats—so they're always prepared," Microsoft said.

Internet of Things (IoT) devices are 'ridiculously' vulnerable to remote hacking because they were not originally manufactured with security in mind.

One innocent-looking insecure IoT device connected to your 'secured network' would be enough to cause security nightmares. In the past, we have seen how a lack of security by design led to massive DDoS attacks powered by the Mirai IoT botnet.

To address such issues, Azure Sphere offers a full-fledged solution that provides best-in-class security and a trustworthy environment for future IoT devices, and at the same time makes the life of IoT device manufacturers a lot easier.

Azure Sphere Certified Microcontrollers (MCUs)

Designed by Microsoft Research, the Azure Sphere Certified Microcontrollers are a new cross-over class of fixed-functional microcontroller chips that will be licensed to manufacturing partners for free. They come with built-in connectivity, networking and Pluton security subsystems to ensure the security of future IoT devices.

"The Pluton Security Subsystem creates a hardware root of trust, stores private keys, and executes complex cryptographic operations," Microsoft said. "A new crossover MCU combines the versatility and power of a Cortex-A processor with the low overhead and real-time guarantees of a Cortex-M class processor."

"Each chip includes custom silicon security technology from Microsoft, inspired by 15 years of experience and learnings from Xbox, to secure this new class of MCUs and the devices they power," the company adds.

According to Microsoft president Brad Smith, the first Azure Sphere chip, called the "MT3620," will be made by Taiwan-based MediaTek and will be available in stores worldwide by the end of the year.

The Azure Sphere chips will also be compatible with other cloud services like Google Cloud, Amazon Web Services, and Oracle Cloud.

Azure Sphere OS (Linux-based)

The second component of the solution, called Azure Sphere OS, is a "defense-in-depth" operating system that comes with a security monitor and Microsoft's custom Linux kernel to offer multiple layers of security.

"Each Azure Sphere chip will include our Microsoft Pluton security subsystem, run the Azure Sphere OS, and connect to the Azure Sphere Security Service for simple and secure updates, failure reporting, and authentication," Microsoft says.

This is the first time Microsoft has created hardware that is designed to run only Linux, rather than its Windows operating system.

"We are a Windows company, but what we recognized is that the best solution for a computer of this size in a toy is not a full-blown version of Windows," Smith said. "It is a custom Linux Kernel, and it is an important step for us and the industry."

Azure Sphere Security Service (Cloud-based)

On top of everything, Azure Sphere Security Service is a cloud-based service that handles security and management of microcontroller chips.

The service offers device-to-device and device-to-cloud communication through certificate-based authentication to guard every Azure Sphere device.

It detects emerging security threats across the entire Azure Sphere ecosystem and also takes care of software updates.

Azure Sphere is now available in private preview, and the company will distribute software development kits to everyone interested in hacking Azure Sphere by the middle of this year. To find more details about Azure Sphere, you can head on to Microsoft Azure Sphere's blog.

Ken Munro, a security researcher at PenTest Partners, has managed to hack into an insecure iKettle, which was proclaimed "the world's first WiFi kettle" by its developers, and steal a home's Wi-Fi password.

Besides boiling water, the iKettle can connect to a user's home WiFi network. It also comes with an Android and iOS app that allows the user to switch on the kettle and boil the water from another location.

However, the biggest security flaw resides in the Android iKettle app that keeps the kettle's password as the default value. The iOS iKettle app sets a six-digit code, but that can still be broken.

Earlier today, when Raspberry Pi Foundation unveiled the second avatar of its mini computer, the tech giant Microsoft revealed that Windows 10 operating system will support the Raspberry Pi 2 for the development of smart devices and appliances.

Really great news for all micro-computing fans: a new, powerful Raspberry Pi 2 Model B is in town. However, Microsoft added another reason to celebrate: the new model of Raspberry Pi 2 runs Windows 10.

The all-new and powerful version of Raspberry Pi 2 brings a host of new hardware, including a Broadcom 900MHz quad-core ARM Cortex-A7 processor and 1GB of RAM. Raspberry Pi Foundation says that these upgrades make the Pi 2 Model B a much more powerful computer which costs $35 only.

The Raspberry Pi 2 has six times the processing power of the Model B+. Also, its quad-core chip and twice the amount of main memory will support more intensive processing tasks, which means the device can do almost everything a normal PC can, such as word processing and Web surfing, among other tasks.

The Raspberry Pi is an extremely simple computer that looks and feels very basic, but could be built into a number of geeky projects. Because of the low-cost appeal of the Raspberry Pi, the nonprofit Raspberry Pi Foundation has sold 4.5 million units.

In its blog announcing the Raspberry Pi 2, the organization says it’s been working closely with Microsoft for the last six months to bring the forthcoming Windows 10 to the new Raspberry Pi 2.

"Because it has an ARMv7 processor, it can run the full range of ARM GNU/Linux distributions, including Snappy Ubuntu Core, as well as Microsoft Windows 10," said Raspberry Pi creator Eben Upton.

Microsoft’s Windows 10 operating system is expected to launch this summer, and is designed to work across mobile and desktop as well. But what’s more? The new OS is being pitched at tablets, Xbox, hybrids, and the fast-emerging "Internet of Things."

It’s still unclear whether the version of Windows 10 will be any lighter than other installs, but Microsoft says it will share more details soon.

"We are excited about our work with the Raspberry Pi Foundation and to share that Windows 10 will support Raspberry Pi 2," wrote Kevin Dallas, General Manager of Windows IoT Group, Microsoft. "We will be sharing more details about our Windows 10 plans for IoT in the coming months."

So far, Raspberry Pi Foundation has supported a handful of operating systems, including Linux, and now it will support Windows.

Hacking Internet of Things (IoT) devices has become an amazing practice for cyber criminals out there, but messing with traffic lights would be something even crazier for them.

The hacking scenes in Hollywood movies have just been a source of entertainment for the technology industry, like the traffic lights we've seen hacked in Die Hard and The Italian Job, but these movies always inspire hackers to perform similar hacking attacks in day-to-day life.

Security researchers at the University of Michigan have not only hacked traffic light signals in real life, but also claimed that it’s actually shockingly easy to perform by anyone with a laptop and the right kind of radio. If we compare the traffic light hacks in movies and real life, the reality is much easier.

In a paper published this month, the security researchers describe how a series of major security vulnerabilities in traffic light systems allowed them to very easily and very quickly seize control of the whole system of at least 100 traffic signals in an unnamed Michigan city from a single point of access.

The researchers obtained permission from a local road agency before performing the hack, but they did not disclose exactly where in Michigan they did their research.

“Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” the paper explained.

SECURITY HOLES IN TRAFFIC LIGHT SYSTEMS

The team, led by University of Michigan computer scientist J. Alex Halderman, said that the networked traffic systems are left vulnerable to three major weaknesses:

unencrypted radio signals,

the use of factory-default usernames and passwords, and

a debugging port that is easy to attack

This left the network accessible to everyone from cyber criminals to young hackers.

“The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness,” the researchers report in a paper.

In an effort to save on installation costs and increase flexibility, the traffic light system makes use of wireless radio signals rather than dedicated physical networking links for its communication infrastructure - this hole was exploited by the researchers. Surprisingly, more than 40 states currently use such systems to keep traffic flowing as efficiently as possible.

“The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case,” the team said. “We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leveraged these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment.”

WIRELESS SECURITY IN QUESTION

The Traffic light systems use a combination of 5.8GHz and 900MHz radio signals, depending on the conditions at each intersection, for wireless communication in point-to-point or point-to-multipoint configurations. The 900MHz links use "a proprietary protocol with frequency hopping spread-spectrum (FHSS)," but the 5.8GHz version of the proprietary protocol isn't terribly different from 802.11n.

The researchers say that anyone with a laptop and a wireless card operating on the same frequency as the wirelessly networked traffic light — in this case, 5.8 gigahertz — could access the entire unencrypted network.

DEBUG PORT

After gaining access, the next step was to communicate with one of the controllers in the target network. This was done very easily because this system’s control boxes run VxWorks 5.5, a version which by default gets built from source with a debug port left accessible for testing.

“By sniffing packets sent between the controller and this program, we discovered that communication to the controller is not encrypted, requires no authentication, and is replayable. Using this information, we were then able to reverse engineer parts of the communication structure,” the paper reads.

“Various command packets only differ in the last byte, allowing an attacker to easily determine remaining commands once one has been discovered. We created a program that allows a user to activate any button on the controller and then displays the results to the user. We also created a library of commands which enable scriptable attacks. We tested this code in the field and were able to access the controller remotely.”

This debug port allowed the researchers to successfully turn all lights red or alter the timing of neighboring intersections — for example, to make sure someone hit all green lights on a given route.

A more worrying part is the ability of a cyber criminal to perform a denial-of-service (DoS) attack on controlled intersections by triggering each intersection’s malfunction management unit through attempted invalid configurations, which would put the lights into a failure mode.

SOLUTION TO PROBLEM

Finally, the team called for manufacturers and operators to improve the security of traffic infrastructure. It recommended that traffic-system administrators not use default usernames and passwords, and that they stop broadcasting communications unencrypted for “casual observers and curious teenagers” to see.

"While traffic control systems may be built to fail into a safe state, we have shown that they are not safe from attacks by a determined adversary," the paper concluded.

Moreover, they also warned that devices like voting machines and even connected cars could suffer similar attacks.
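
The paper's finding that controller traffic "is not encrypted, requires no authentication, and is replayable" comes down to a missing integrity tag and a missing freshness check. The following is an added example, not code from the article or the paper; the frame layout, command codes and key are constructed for illustration. It shows a receiver that rejects forged, modified and replayed command frames:

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not the real controller protocol):
#   2-byte magic | 8-byte big-endian counter | 1-byte command | 32-byte HMAC tag
HEADER = struct.Struct(">2sQB")
MAGIC = b"TC"
TAG_LEN = hashlib.sha256().digest_size


class FrameError(Exception):
    """Raised when a frame fails validation and must not be executed."""


def seal(key: bytes, counter: int, command: int) -> bytes:
    """Sender side: build a command frame and append an HMAC-SHA256 tag."""
    body = HEADER.pack(MAGIC, counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Controller:
    """Receiver side: authenticate first, then enforce a strictly rising counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0      # persist this across reboots on a real device
        self.executed = []          # commands that passed every check

    def receive(self, frame: bytes) -> int:
        if len(frame) != HEADER.size + TAG_LEN:
            raise FrameError("bad length")
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison; nothing in the body is trusted before this.
        if not hmac.compare_digest(tag, expected):
            raise FrameError("bad tag")
        magic, counter, command = HEADER.unpack(body)
        if magic != MAGIC:
            raise FrameError("bad magic")
        # A captured frame carries an old counter, so replaying it fails here.
        if counter <= self._last_counter:
            raise FrameError("replayed or stale counter")
        self._last_counter = counter
        self.executed.append(command)
        return command


def classify(ctrl: Controller, frame: bytes) -> str:
    """Return 'accepted' or the rejection reason for one frame."""
    try:
        ctrl.receive(frame)
        return "accepted"
    except FrameError as exc:
        return str(exc)


def demo():
    key = b"constructed-demo-key-not-for-use"   # per-device secret in practice
    ctrl = Controller(key)
    results = []

    first = seal(key, 1, 0x10)
    results.append(classify(ctrl, first))        # genuine frame
    results.append(classify(ctrl, first))        # same bytes sent again

    # The article notes commands differ only in the last byte; changing that
    # byte without the key invalidates the tag.
    tampered = bytearray(seal(key, 2, 0x10))
    tampered[HEADER.size - 1] = 0x11
    results.append(classify(ctrl, bytes(tampered)))

    results.append(classify(ctrl, seal(b"wrong key", 3, 0x10)))  # no shared key
    results.append(classify(ctrl, seal(key, 2, 0x11)))           # genuine, fresh
    return results, ctrl.executed


if __name__ == "__main__":
    outcomes, executed = demo()
    for line in outcomes:
        print(line)
    print("executed commands:", [hex(c) for c in executed])
```

This adds authentication and replay protection only; confidentiality of the radio link still needs encryption, and the key must not be a factory default shared across devices.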

The popular home surveillance webcam service DropCam, which keeps an eye on your house when you aren’t there, can be used as a weapon against you by cybercriminals, a pair of researchers claimed.

San Francisco-based DropCam, which last month announced it would be acquired by Google’s Nest for $555 million in cash, has made home-monitoring cameras for the past five years. These allow users to keep track of what's going on inside their homes using a small surveillance camera.

Two researchers, Patrick Wardle and Colby Moore of Synack, discovered the weakness in the Wi-Fi enabled video monitoring system, which they will demonstrate at the DEFCON 22 Hacker Conference in Las Vegas next month.

This WiFi-enabled security camera, which sells for $149 or $199 depending on video quality, requires little to no effort to maintain. You plug it in, get it up on your WiFi, and all is set. If you want to check in on your cameras remotely, it costs you nothing, and if you want DropCam to keep an archive of the recorded footage on their servers, it will cost you from $10 to $30 a month.

The discovered weakness could allow hackers to spy on targets by watching video and "hot-mike" audio on the cameras, inject fake videos into the surveillance startup in an effort to hide their malicious activities, and use the compromised system to attack the network.

The researchers reverse engineered the DropCam hardware, which allowed them to insert a malware "implant" on the device and exploit the software vulnerabilities they found in the device's internal software.

"If someone has physical access [to a DropCam device], it's pretty much game over," the director of research at Synack, Wardle told DarkReading. "People need to be aware that these devices can be accessed by hackers or adversaries, and they should be scrutinized in the way people protect their laptops for instance.”

Apart from other hardware and software weaknesses in the DropCam equipment, the researchers discovered a Heartbleed vulnerability in the cloud-based WiFi video monitoring service.

The device runs an outdated and unpatched version of the open source Unix toolkit BusyBox, which may not even receive updates, and an older, vulnerable version of OpenSSL that exposed it to the critical Heartbleed bug.

Heartbleed, the biggest internet threat, is a critical vulnerability in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory, potentially revealing users' data in plaintext that the server did not intend to reveal.

An attacker could exploit the Heartbleed vulnerability in OpenSSL in order to fetch passwords and the SSL server's private key.

"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the DropCam DNS server, and the camera would beacon out," Wardle says. "You could throw a Heartbleed exploit and start dumping memory and get [digital] certs."

Moreover, the researchers will also reveal how to infect Windows or Mac OS X boxes that were used to configure the vulnerable DropCam systems. The duo will provide a detailed demonstration of their findings in their presentation titled "Optical Surgery: Implanting a DropCam" at the DEF CON hacking conference, which will be held on August 10.

Just as we are proactive about security vulnerabilities in our computers and networks, there is an important need to actively tackle the security issues of Internet of Things (IoT) devices such as these DropCam cameras.

Until now, we have seen how different smart home appliances such as refrigerators, TVs and routers could expose our private data, but now you can add another worry to your list: the LED light bulb. Don’t laugh! It’s true.

Researchers at UK security firm Context have formulated an attack against Wi-Fi connected lightbulbs, available to buy in the UK, that exposes the credentials of the Wi-Fi network they rely on to operate to anyone with access to one of the LED devices.

Security vulnerabilities found in LIFX smart light bulbs, which can be controlled from iOS and Android devices, could allow an attacker to gain access to a “master bulb” and, with its help, control all connected bulbs across that network and expose user network configurations.

Along with other Internet of Things (IoT) devices, smart bulbs are part of a rising trend in which manufacturers add computing and networking capabilities to their devices so that they can be easily controlled remotely using a smartphone, computer, or other network-connected device. LIFX ran a popular fundraising campaign in 2012 on Kickstarter, raising more than $1.3 million (£760,000), which was more than 13 times the original goal of $100,000 (£59,000).

But before delivering the smart bulbs to home consumers, the company failed to properly encrypt all data in the wireless protocols it used when enrolling new bulbs on the network. The oversight allowed the researchers to craft messages to the networked bulbs within about 30 meters, forcing them to obtain security credentials used to secure the connected Wi-Fi network.

The WiFi network credentials are captured in specific packets as they pass from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the Wi-Fi details were encrypted with the Advanced Encryption Standard (AES), the researchers were able to obtain the secret key shared between bulbs on the network, making it easy for the attacker to decipher the payload.

"Armed with knowledge of the encryption algorithm, key, initialisation vector, and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the Wi-Fi details, and decrypt the credentials, all without any prior authentication or alerting of our presence," researchers from security consultancy Context wrote.

“It should be noted, since this attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range, ~30 meters, of a vulnerable LIFX bulb to perform this attack, severely limiting the practicality for exploitation on a large scale.”

LIFX quickly responded to the Context findings and has now issued an update to its smart bulb firmware, which encrypts all 6LoWPAN traffic and secures the process of enrolling new bulbs on the network.

The company said that it was unaware of any users being affected by the security issue and released a LIFX security update.

“In rare circumstances the security issue could expose network configuration details on the mesh radio, requiring a person to dismantle a bulb, reverse engineer the debug connection and firmware, then be physically present with dedicated hardware within the bounds of your WiFi network (not from the internet). Eg. Someone hiding in your garden with complex technical equipment. No LIFX users have been affected that we are aware of, and as always we recommend that all users stay up to date with the latest firmware and app updates,” the firm said in a blog post.

With the increase in the manufacture of Smart TVs by different companies, it is estimated that by 2016 over 100 million TVs will be connected to the Internet, and in time they may become a profitable target for malware authors and cyber criminals to exploit.

The 48 year-old Eugene Kaspersky, one of the world's top technology security experts, has thrown light on the future of Computer Security and warned that Internet of Things (IoT) such as TVs, Refrigerators, Microwave or dishwashers will necessarily bring undesirable cyber threats to your home environment, because any device connected to the Internet is vulnerable and can be infected.

"The threats will diversify to mobile phones and to the home environment, such as through televisions, which are now connected to the Internet," he said in an interview with the Telegraph.

The Internet of Things is said to be the next evolutionary step in our connected world, and it has already become a major target for cyber criminals.

We have reported before how 100,000 refrigerators and other smart household appliances were compromised by hackers to send out 750,000 malicious spam emails, and how a Linux worm, 'Linux.Darlloz', is hijacking home routers, set-top boxes, security cameras and printers to mine crypto currencies like Bitcoin.

Kaspersky said his company's global research and development headquarters in Moscow is receiving around 315,000 suspicious activity reports on a daily basis, a figure that has doubled over the past year. The threats might spread to new sectors beyond mobile phones and computer systems.

“There are millions of attacks a year on Microsoft Windows, thousands on mobile phones, mostly on Android, and dozens on Apple’s iOS. But more and more engineers are developing software for Android,” he said.

But according to him “technically it is possible to infect millions of devices” because all devices are vulnerable and it is very much possible to see cyber criminals developing viruses for iOS devices.

I really like what he says: “What’s the difference between a TV and a computer? A bigger screen and a remote control. It has Android inside and memory chips and Internet connections. That’s all.” Well said!

He also warned users that as the Internet of Things (IoTs) increases, users need to have top security packages installed on their devices.

“It’s just a question of time. We already have a product for mobile and we have a prototype for TV so we are ready to address this issue when new malware for television is released by criminals.”

In the last few years, this emerging domain of the Internet of Things has been attracting significant interest, and will continue to do so for years to come. It would be a $20 Trillion Market over the next several years, but security and privacy are the key issues for such applications, which still face some enormous challenges.

Tomorrow, 8th April, could be a sad day for all those who are still using Windows XP, as it is its official assassination day, but there is also good news: Microsoft is going to stop charging for its Windows operating system on devices with screens smaller than nine inches.

Yes, a free Windows OS for the Internet of Things (IoT), such as mobile devices, smart thermostats, smart TVs, wearable devices etc., was announced by Microsoft at the Build 2014 conference on Wednesday.

“To accelerate the creation of great mobile devices running Windows and grow our number of users, we announced today that Windows will be available for $0 to hardware partners for Windows Phones and tablets smaller than 9” in size,” said Terry Myerson, executive vice president, OS Group at Microsoft and he also added that it will include a one-year subscription to Office 365.

FREE, BUT NOT OPEN SOURCE

Free Windows means the manufacturers of small tablets, phones and any other small devices won't have to buy a license from Microsoft.

According to Microsoft, Windows for Internet of Things will use the same code base as Windows Phone 8 and will run only mobile apps, not any desktop software. The company also did not mention open sourcing the code base of Windows for IoT, as with Google’s Android.

The reason behind it may be an effort to make it tough for hackers to exploit the operating system and to ensure the code is sound and secure.

Distributing free Windows could be a prominent step, but it’s one that Microsoft needed to take earlier, because Google’s free mobile operating system, Android, is widely used among consumer electronics devices. The reason Microsoft needed to move to a strategic approach is to catch up with Google's Android and Apple's iOS operating systems.

Since Google’s Android is open source and freely available to everyone, anyone can use it without paying a single penny, and even Apple is pushing hard to bring its operating system prices towards zero.

But, on the other hand, Microsoft is charging $10 for its Windows Phone operating system on each smartphone and tablet, which has made life difficult for Microsoft in recent years. So, to boost its monopoly in the world of smart devices, Microsoft made a tremendous move in the right direction.

The new update will definitely help Microsoft to beef up its app marketplace, as it allows developers to build apps for Windows 8.1 tablets, as well as for Windows Phone 8.1 Devices.

WINDOWS PHONE 8.1

In addition, Microsoft has also announced the next version of the Windows Phone operating system, Windows Phone 8.1, which comes with several new features, including the voice controlled Cortana digital assistant.

Cortana is named after a female character in Microsoft's Halo video game, and is aimed as a competitor to Apple's Siri for iOS. Microsoft said Cortana can interact with third-party Windows Phone apps such as Skype, Hulu Plus, Facebook and Twitter, all of which can be controlled via voice commands.

Previous articles on The Hacker News have highlighted how the Internet of Things (IoT) opens your home to cyber threats.

Recently, security researchers from vulnerability research firm ReVuln published a video demonstration showing that the Philips Smart TV is prone to cyber attacks by hackers.

According to the researchers, some versions of the Philips Smart TV with the latest firmware update are wide open to hackers and also vulnerable to cookie theft.

The fault is in a feature called Miracast, which allows TVs to act as a WiFi access point with a hard-coded password ‘Miracast,’ and allows nearby devices within range to connect to the device to receive the screen output.

“The main problem is that Miracast uses a fixed password, doesn't show a PIN number to insert and, moreover, doesn't ask permission to allow the incoming connection,” Luigi Auriemma, CEO and security researcher at ReVuln, told SCMagazine.

The vulnerability allows an attacker within the device’s WiFi range to access its various features. The potential attacker can:

Access the TV's configuration files

Access files stored on USB devices attached to the TV

Replace the image on screen with video or images of its choice

Control the TVs via an external remote control application

Steal website authentication cookies from the TV's browser

“So basically you just connect directly to the TV via WiFi, without restrictions. Miracast is enabled by default and the password cannot be changed,” Luigi said.

The researchers tested the flaw on the Philips 55PFL6008S TV, but believe that many 2013 models are also affected because they have the same firmware installed.

However, such attacks are not possible in the wild, but if your neighbor is smart enough and knows your WiFi password, then you should either change your password to a stronger one or turn off the Miracast feature on your Philips Smart TV.

Philips says, "Our experts are looking into this and are working on a fix. In the meantime, we recommend customers to switch off their Miracast function of the TV to avoid any vulnerability."

Could a perfectly innocent-looking device like a router, TV set-top box or security camera mine Bitcoins? YES! Hackers are not going to spare smart Internet-enabled devices.

A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. home routers, set-top boxes, security cameras, printers and industrial control systems, has now been upgraded to mine crypto currencies like Bitcoin.

Security researchers at antivirus firm Symantec spotted the Darlloz Linux worm back in November, and they spotted the latest variant of the worm in mid-January this year.

The Linux.Darlloz worm exploits a PHP vulnerability (CVE-2012-1823) to propagate and is capable of infecting devices that run Linux on Intel’s x86 chip architecture and other embedded device architectures such as PPC, MIPS and MIPSEL.

The latest variant of Linux.Darlloz is equipped with an open source crypto currency mining tool called 'cpuminer', which could be used to mine Mincoins, Dogecoins or Bitcoins.

Symantec researchers scanned the entire address space of the Internet and found 31,716 devices infected with Darlloz. "By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization," said Kaoru Hayashi, senior development manager and threat analyst with Symantec in Japan.

Major infected countries are China, the U.S., South Korea, Taiwan and India.

Crypto currency typically requires more memory and a powerful CPU, so the malware could be updated to target other IoT devices in the future, such as home automation devices and wearable technology.

A few weeks back, Cisco announced a global and industry-wide initiative to bring the security community and researchers together to contribute to securing the Internet of Things (IoT) and launched a contest called the "Internet of Things Grand Security Challenge", offering prizes of up to $300,000 for winners.

Users are advised to update firmware and apply security patches for all software installed on computers or Internet-enabled devices. Make sure you are not using a default username or password on any device, and block port 23 or 80 from outside if not required.


Cisco has announced a global and industry-wide initiative to bring the security community and researchers together to contribute to securing the Internet of Things (IoT) and launched a contest called the "Internet of Things Grand Security Challenge", offering prizes of up to $300,000 for winners.

Smart devices are growing at an exponential pace, with more connected devices embedded in cars, retail systems, refrigerators, televisions and countless other things people use in everyday life, and their number is expected to grow to 50 billion by 2020. So, in an effort to deliver the security solutions necessary to protect the increasing range of connected devices in the Internet of Things, Cisco has challenged security experts around the world.

"We're connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. These new connected devices are offering new ways to share information and are changing the way we live," reads the blog post.

The contest was announced by Christopher Young, senior vice president of the security group at Cisco, in his keynote at this week's RSA Conference. He said "the idea is 'a contest of experts around the world to submit blueprints' for how security issues created by the Internet of Things could be addressed. It's expected that up to six winning entries would be selected and the prize money awarded at the Internet of Things Forum in the fall."

It is expected that up to six winning entries will be selected, and prize money of $50,000 to $75,000 will be awarded by Cisco to the winning contestants at the Internet of Things Forum in the fall.

A Cisco team of security experts will evaluate proposals based on the following criteria:

So, in future the "Internet of Things" could become an easy weapon for cyber criminals to launch large-scale cyber attacks. To protect ourselves, we need a good and effective security solution, and Cisco is contributing towards one.

The winners of the Internet of Things Security Grand Challenge will be named in the northern autumn of 2014 by Cisco's evaluation panel.

Have you given shelter to zombies in your house? No? Maybe you have no idea about it. After computers, servers, routers, mobiles and tablets, now it is the turn of your home appliances to be a weapon or a victim of cyber war.

Recently, security researchers from Proofpoint found more than 100,000 smart TVs, refrigerators and other smart household appliances compromised by hackers to send out 750,000 malicious spam emails.

As the 'Internet of Things' becomes smart and popular, it has become an easy weapon for cyber criminals to launch large-scale cyber attacks.

"The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide."

Previously, such attacks had only been described theoretically by researchers, but this is the first proven attack of its kind involving smart household appliances used as 'thingBots' (Thing Robots).

Just as your personal computers can be unknowingly compromised to build a huge botnet that can be used to launch cyber attacks, your smart household appliances and other components of the "Internet of Things" can be turned into slaves by cyber criminals.

The worst thing about these smart appliances is that cyber criminals can easily reach them, because they are available on the Internet 24 hours a day and sit in a poorly protected environment, i.e. misconfiguration and the use of default passwords.

"More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location -- and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use."

Now it seems that we have hundreds of cyber weapons in our homes or, put another way, hundreds of vulnerable sticks of dynamite living with us.

This time it was just a spam email attack, but answer this: how much damage could a group of well-trained hackers do, economic and otherwise, if they really wanted to? Share your views in the comment box below. Stay with us, stay safe!

After owning a smartphone, now it is your turn to own a smart car. Wouldn't it be great if you could use your favorite mobile apps on your car's dashboard display?

Yes, you heard right. Google has tied up with several auto manufacturers with the goal of bringing Android to cars with built-in controls and hardware by the end of this year.

Google announced at the CES technology trade show in Las Vegas that the Open Automotive Alliance (OAA) will achieve this with its partners, i.e. General Motors, Honda, Audi, Hyundai and chipmaker Nvidia.

This new project is designed to accelerate innovation in the automotive sector with a customized version of the most popular mobile platform, Android, for cars, which will bring Google Places, Maps, Voice, Earth and developer support to cars.

"This open development model and common platform will allow automakers to more easily bring cutting-edge technology to their drivers, and create new opportunities for developers to deliver powerful experiences for drivers and passengers in a safe and scalable way," the press release says.

Google is working with the United States National Highway Traffic Safety Administration to ensure the safety of drivers using Android features in their cars. To boost the processing power of the system, Nvidia's Tegra K1 quad-core processor will be deployed.

Android and Security issues: The Android car will be a full-fledged node on the Internet, which will give enhanced flexibility and functionality of services, but at the same time we will most probably face all the threats that are channeled through the Internet.

Thousands of road accidents have occurred because of mobile phone use while driving, but now we have mobile-based cars, so the safety of the driver will depend on the smartness of the applications installed. The car's Android system can be hacked if it is linked to the owner's smartphone. It would be no surprise to see something like "Rooting your Cars" soon.

Malware is another factor that can pose a serious threat to life. According to various threat reports, Android is majorly vulnerable to hackers and malware because of its own weak architecture. It has also already been proven that an Android device can be converted into a spying bug using a simple malicious application that records the surrounding conversation via the microphone and uploads it to the hacker's server.

Another major concern is that Google is a U.S.-based company, so all FISA secret orders apply to this project too. Will Google be able to stop the National Security Agency (NSA) from backdooring our privacy and security while driving?

So, Google should consider applying all available security and privacy measures to these future smart cars to defend against cyber attacks and the NSA.

Have you seen the Coca-Cola "Freestyle" soda fountain yet? Instead of levers for different sodas, you get a touchscreen with an iPad-like interface, and with the push of a button you can choose from 127 flavors of soda.

More than 3,500 such machines are installed in Burger King outlets around the world, and all of them are connected to the Internet so that Coca-Cola can track inventory and make stock decisions.

Last week the developer of the GNU MACChanger software, Alvaro Lopez Ortega, found that Coca-Cola has reserved a huge block of MAC addresses, i.e. 16 million. These could conceivably be used in the future for tagging physical devices, Freestyle soda machines or vending machines.

A Media Access Control (MAC) address is a hardware address that uniquely identifies each node of a network. Every piece of hardware on your local network has a MAC address in addition to the IP address assigned to it by the local router or a server.

IEEE has a Registration Authority, called OUI, that manages the assignment of 802-defined MAC addresses, which are usually reserved by companies that sell networking cards and equipment, including Apple, HP, IBM, Samsung, Cisco and Intel.

An OUI is assigned with an MA-L identifier block, which can be used to identify an organization or company where a globally unique identifier is needed. In the IEEE MA-L list, Coca-Cola's MAC address registration is listed as:

FC-D4-F2
The Coca Cola Company
One Coca Cola Plaza
Atlanta GA 30313
UNITED STATES
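
To make the registration above concrete, the following added example (not part of the original article) splits a MAC address into its 24-bit OUI prefix and 24-bit device part, checks the two flag bits in the first octet, and shows where the "16 million" figure comes from. The function names and the sample addresses are constructed for illustration; the only registry entry used is the one quoted above.

```python
"""Split a MAC address into its OUI prefix and device part (added example)."""
import re

# The single MA-L entry quoted in the article; a real inventory tool would
# load the full IEEE list instead.
KNOWN_OUIS = {"FC-D4-F2": "The Coca Cola Company"}

# An MA-L assignment fixes the first 24 bits of the address; the remaining
# 24 bits are the owner's to allocate: 2**24 = 16,777,216 addresses.
ADDRESSES_PER_MAL_BLOCK = 2 ** 24


def parse_mac(text):
    """Return the six octets of a MAC written with ':', '-', '.' or no separators."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe_mac(text):
    """Classify one address the way an asset inventory would."""
    octets = parse_mac(text)
    oui = "-".join(f"{b:02X}" for b in octets[:3])
    multicast = bool(octets[0] & 0x01)  # I/G bit: group (multicast) address
    local = bool(octets[0] & 0x02)      # U/L bit: locally administered
    # Locally administered (e.g. randomized) and multicast addresses carry
    # no vendor-assigned OUI, so they are never attributed to a vendor.
    vendor = None if (local or multicast) else KNOWN_OUIS.get(oui)
    return {
        "oui": oui,
        "device_id": int.from_bytes(octets[3:], "big"),
        "multicast": multicast,
        "locally_administered": local,
        "vendor": vendor,
    }


if __name__ == "__main__":
    # Constructed sample addresses, not observed devices.
    for sample in ("fc:d4:f2:00:00:2a", "FED4.F200.002A", "01-00-5E-00-00-FB"):
        print(sample, describe_mac(sample))
```
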

No doubt, "The Internet of Things" is already gaining momentum, and now Coca-Cola is in the race. The Internet of Things promises to make life easier in countless ways, but as with any technology seeing an upswing, it is to be expected that there will be associated security questions and challenges.

All a hacker needs is a search engine like Shodan, which is designed specifically to locate devices that have been carelessly plugged into the Internet without much attempt at preventing unauthorized access.